• 2 Posts
  • 24 Comments
Joined 12 days ago
cake
Cake day: June 26th, 2026

help-circle

  • Ignore the downvotes. That’s a fair question to ask, but one that does have answers. Signal is FOSS, has E2EE and was audited several times, so we know that

    • it did not contain any backdoors at the time of the audit
    • it will not for the foreseeable future (they’d be visible in the client code)
    • I need not trust the server code since messages are E2EE

    Thus, while mistakes do happen and can open up severe vulnerabilities, cf. Heartbleed, there’s reason to assume that Signal is relatively secure. Signal’s centralisation of server infrastructure is a valid concern, but not for security, but rather for

    • privacy (they might capture metadata, although it appears they don’t; nation-state actors trying to subpoena user data have so far only gotten “date of registration” and “last online”, which appears to be all they’re storing; that’s as close to “zero knowledge” as you get)
    • availability (as the recent AWS outage has shown, which took out Signal as well)





  • I’ll reply to you since you first brought it up, but it’s a question to anyone here recommending Molly: what makes you cofident that Molly is secure (i.e. they’re not fucking up Signal’s cryptography by accident) and maintained by trustworthy people. Signal does get audits from time to time, Molly doesn’t.

    Mind you, I’m not trying to shit all over Molly; Unified Push looks great. I’m trying to approach this with due caution though.








  • I’ve been a great fan of the project and used it as my daily driver for >5 years. It was stable as heck and the devs were super responsive, even adding in neat features at users’ request.

    That said, I’ve lost trust in the project and moved on to GrapheneOS. The departures of Chirayu Desai and Nick Merrill smell weird from miles away. The latter left without any words of farewell explaining why he’d abandon his own project from one day to the other. I won’t engage in speculation as to what happened behind the scenes, but there are enough red flags here to keep my distance.








  • Thank you! While that does allay most security concerns, it does beg the question how useful such a vulnerability tracker is if it doesn’t actually show any relevant vulnerabilies and you constantly have to second-guess what it says. Warning signs that aren’t actually warnings because it’s “just a false alarm” quickly teach personell to not take warnings seriously - unti, onel day, it’s not a false alarm…